Personal Data Privacy Policy

Pursuant to the Regulation 2016/679 of the European Parliament and of the Council on General Data Protection – GDPR – concerning the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

Version: 1.0 / 11/06/2019

1. PERSONAL DATA PRIVACY POLICY

Our main objective at BeLazy Ltd. is to satisfy the needs of our clients through our translation project management services enabling them to attain, as far as possible, measurable financial benefits by operating their system(s).

Our firm, BeLazy Ltd., as a data controller and a responsible company, has a voluntarily recognized mission to protect personal data to provide lawful, flexible and authentic guarantees for privacy protection to both its customers and other private persons as data subjects.

Within data protection, our main objective is to employ juridical, IT and management solutions pursuant to the EU Regulation No. 2016/679 on General Data Protection (also known as: “GDPR”) as well as to Irish statutes and thereby facilitate the enforcement of the rights and interests of private persons as data subjects associated internally or externally with our Company.

It is one of our core goals to ensure the highest possible security in our processes and operations connected to data processing, and to do everything possible to prevent data breaches, which cannot be avoided with 100% certainty even with the technological advances in today’s information society.

To this end, we accurately identify and evaluate the specific data processing operations, we have developed solutions for the record-keeping of data processing, we carry out the necessary risk management and take measures to mitigate and eliminate the identified risks.

We, at BeLazy Ltd., as a data controller (hereinafter: Data Controller or Controller), inform the individuals concerned (data subjects) that in this Personal Data Privacy Policy we aim at providing a concise and comprehensible description of our personal data processing, of the rights pertaining to the data subjects and of the guarantees provided by us.

We, as data controller, carry out our data processing activities pursuant to the Regulation No. 2016/679 of the European Parliament and of the Council on General Data Protection, also known as GDPR, which fundamentally regulates the protection of natural persons with regard to the processing of personal data and the free movement of such data within the EEC and their transfer to third countries. States, which are not members of the EEC, are considered third countries.

The purpose of the Personal Data Privacy Policy is to describe those internal rules and measures which ensure and demonstrate (accountability) ex post our compliance as data controller towards the data protection authorities and private persons as data subjects.

The scope of the Personal Data Privacy Policy: This Personal Data Privacy Policy involves and details our Company’s processing of personal data pertaining to natural persons in any of their capacities (such as clients, partners, third persons).

3. LEGAL GROUNDS FOR PROCESSING PERSONAL DATA

Data of private persons may solely be processed if at least one of the following applies:

the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

processing is necessary for compliance with a legal obligation to which the controller is subject;

processing is necessary in order to protect the vital interests of the data subject or of another natural person;

processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

3.1. Conditions for Data Processing Based on the Consent by the Data Subject

Where data processing is based on consent, the data subject shall provide his/her written consent to the processing of his/her personal data. The consent has no formal requirements, but for the sake of being able to demonstrate such consent ex post, it shall necessarily be provided in writing on paper or by email.

It shall be deemed as a definite, voluntary consent, if the data subject marks a checkbox pertaining to providing consent by taking a specific action (i.e. by his/her implied conduct) on the internet site maintained by the data controller, and chooses the relevant settings for information society services.

Silence, pre-ticked boxes or inactivity should not constitute consent.

Consent should cover all processing activities carried out for the same purpose or purposes.

When the controller has multiple purposes for the processing of data, consent should be obtained for each of them separately.

It shall be made as easy for the data subject to withdraw his/her consent as the process was when he/she provided consent.

The scope of data processed: data covered by the consent, the purpose of data processing: the purpose defined in the declaration of consent, the duration of data processing: the duration set out in the declaration of consent or until the withdrawal of consent.

Rights safeguarding private persons as data subjects: information, rectification, erasure, restriction of processing, right for notification, right to object, right to lodge a complaint, right for a remedy.

The data subject shall be notified of the transmission of his/her data towards a data processor.

3.2. Data Processing for Compliance with a Legal Obligation

General Provisions

Data processing necessitated by compliance with legal obligations shall not require consent from the data subject, because the data is processed based on law.

Regardless of the mandatory nature of the data processing, the data subject must be informed before and during the processing of the data, that data processing is mandatory and cannot be avoided. Furthermore, the data subject must be provided clear and detailed information on all significant aspects concerning the processing of his/her data before any data processing is initiated.

The information shall include: the purpose and legal basis of the data processing, the identity of the controller and the data processor, the duration of the data processing, as a legal basis the legal obligation that is being fulfilled and information on the persons who have access to the data.

The information should also cover the rights and remedies of the data subject with regard to data processing. In the case of mandatory data processing, the information may also be disclosed by the publication of a reference to the statutory provisions containing the foregoing information.

Rights safeguarding private persons as data subjects: information, rectification, right for notification, right to lodge a complaint, right for a remedy.

If personal data has been obtained with the consent of the data subject (e.g. registration on the website), and unless otherwise stipulated by the GDPR, the data controller may process the personal data recorded without further specific consent in order to fulfil its legal obligation, and it may continue to process the data even after the consent has been withdrawn or an objection has been made by the data subject.

Data covered by data processing: data required by law, the purpose of data processing: the purpose specified in the legislation, the duration of data processing: the period specified in the legislation.

The data subject shall be notified of the transmission of his/her data towards a data processor.

3.3. Data Processing in Connection with the Performance of a Contract

Pursuant to GDPR data may also be processed if it is necessary for the performance of a contract in which the data subject is party or the data processing and data collection are necessary for taking steps at the request of the data subject prior to entering into the contract.

3.4. Data Processing based on the Legitimate Interest of the Data Controller

In some cases, the legal basis for data processing is not the fulfilment of otherwise related legal obligations, but the so-called legitimate interest of the data controller, which requires that a legitimate interest assessment test is performed.

Sometimes, the data controller may have a further legitimate interest in processing the personal data of the data subjects, and this legitimate interest is not deriving from a statutory provision or the performance of a contract entered into with the data subject. Such legitimate interest may involve e.g. the purpose of protecting properties or the objective of assuring quality, etc.

In every case, the data controller shall define the purpose of data processing clearly and unambiguously. The range of data requested for processing from the data subject may only apply to cases where these are essentially relevant for the data controller’s operation.

The data controller explicitly considers the principle of necessity-proportionality, whether the applied method is suitable for attaining the purpose of data processing and whether it only involves data processing to the necessary extent.

Processing contact details of representatives and contact persons of those customers and potential customers, partners, subcontractors or suppliers (companies, institutions), authorities and natural persons, who are not considered data subjects:

The purpose of processing personal data: performance of a contract with a non-natural person as client, partner or subcontractor of the data controller and maintaining business relations.

Legal grounds for data processing: in general the performance of a contract, in case of official contact with an authority the fulfilment of a legal obligation.

Scope of personal data processed: name of natural person, his/her position in the company or organisation represented by him/her, official/business contact information: address, telephone number, email address, online identification.

Recipients of the personal data processed: employees and other contributors of the data controller who are performing tasks in connection with the performance of a contract or with maintaining contacts.

Duration of the data processing: contact details until a notification concerning changes in the contact person of the customer, partner, company, or authority is provided; data in contract documents as long as required by law.

Place and method of data storage: data is only stored electronically,

in case of contact details of the contact persons related to the administrative operational activities of the Company, in the cloud storage (Google Drive) licensed by the Company;

in case of data of employees of subcontractors involved in the development and testing of the BeLazy software, in a cloud storage hosting the development or testing environment;

related to sales and support, the data of contact persons of existing and potential clients in Freshdesk/Freshsales;

in case of data of customers using the services of our Company, in the BeLazy software providing our Company’s service, on Microsoft Azure cloud platform and within Stripe for payment services.

Official, paper-based, mailed items constitute an exception to the above, as these are stored on paper in the administrative office of our Company.

Provisions concerning the method of transferring data: emails are sent with TLS encryption; however, if TLS is not supported by the email provider of the partner, the email may pass through the servers unencrypted. The partner may request that the attachments are sent encrypted.

Rights safeguarding private persons as data subjects: please refer to the section “Rights of Data Subjects” in this policy.

4.2. Data of Newsletter Recipients

The purpose of processing personal data: providing information on new and modified services, maintaining marketing and business contacts, assisting users.

Data collected and managed by statistical programs when using websites

We as data controller use Google Analytics to measure visitor traffic of our website. As part of the service information containing web analytics is transmitted. The transferred data is not suitable for identifying individual data subjects.

Further information regarding the privacy policy of Google is available at: https://support.google.com/analytics/answer/2700409.

Purpose of data processing: development of our website and its services

Data processed: statistics provided by Google Analytics with regards to the use of our website

Duration of the data processing: as long as the Internet services are being used

More information on the duration of storing cookies is available at:

General cookie policy of Google: https://www.google.com/policies/technologies/types/

Our data processors provide our company, BeLazy Ltd. with IT maintenance and development and accountancy services. The Data Processors shall store personal data on the basis of a contract with us as Data Controller. They are not authorised to access the personal data.

The Data Processor providing accountancy services shall participate in the bookkeeping of accounting documents based on a written contract with us as Data Controller. In doing so, the Data Processor processes the name and address of the data subject to the extent required for the accounting records for an appropriate period prescribed in the accounting legislation, and then deletes it immediately.

6. DATA SECURITY MEASURES

In all our data processing activities, we as controller also take all the technical and organizational measures to ensure the security of personal data and guarantee the rights of data subjects parallel to the legal and IT aspects. To this end, we created a separate policy both for staff members and for external persons performing IT tasks.

We as data controller safeguard personal data by operating and getting certified according to the international ISO/IEC 27001:2013 information security management standard.

In the automated processing of personal data, we as the data processor ensure the following:

preventing unauthorised data entry;

precluding the use of automated data processing systems by unauthorized persons using data transmission equipment;

the controllability and verifiability of the bodies to which personal data have been or may be transmitted by means of data transmission equipment;

the controllability and verifiability of who has entered which personal data into the automated data processing systems, and when;

recoverability of installed systems in case of malfunction and

reporting on errors that occur during automated processing.

7. PERSONAL DATA BREACHES

The GDPR, the European Union’s General Data Protection Regulation, imposes legal, IT, organisational and technical duties and considerations in general to prevent and address personal data breaches and to protect personal data.

Data security measures are used to prevent any personal data breach. The following measures have been introduced for addressing a personal data breach.

In particular, any of the following incidents can be considered a personal data breach: theft or loss of a “corporate” laptop or mobile phone, unauthorized access to databases containing personal data.

7.2. Addressing a Personal Data Breach

When a data breach is detected, the Managing Director must comply with the required reporting obligation.

As soon as possible and without undue delay, but not later than 72 hours after having become aware of a personal data breach, the competent supervisory authority has to be notified of the personal data breach.

The controller’s notification to the supervisory authority shall at least contain the following information pertaining to the personal data breach:

the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned,

the categories and approximate number of personal data records concerned,

the name and contact details of the contact point where more information can be obtained,

the likely consequences of the personal data breach,

the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide all information regarding the personal data breach and its solution at the time of reporting, the information available shall be provided at the time of the first reporting, while further information may be provided additionally to the supervisory authority in phases as these become available, but without undue further delay.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons concerned by the data breach, the controller shall communicate the personal data breach to the data subject in a clear and plain language and without undue delay.

The controller’s communication to the data subjects shall at least contain the following data pertaining to the personal data breach:

nature of the personal data breach,

the name and contact details of the contact point where more information can be obtained,

the likely consequences of the personal data breach,

the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Further duties of the Managing Director:

Collecting further data and information with regards to the reported personal data breach.

Analysing the effective or potential impact of a personal data breach on the rights of the Company and data subjects.

Defining and implementing methods and steps to address a personal data breach and to restore the safe operation of the IT system. (If necessary and appropriate, a team of experts may be convened to this task, together with involving external experts.)

Logging and documenting the exposed results in the Records of Personal Data Breaches.

The supervisory authority shall be informed of the outcome of the assessment of the personal data breaches.

8. RIGHTS OF DATA SUBJECTS

General information on the particular rights in plain language

Right for information in advance

The data subject shall be entitled at any time to be informed in a comprehensible manner of the facts and information relating to the processing of the data, and this right shall exist in particular prior to the commencement of the processing of the data.

Right of access

The data subject shall have the right to obtain from the controller a concise and comprehensible confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the relating information stipulated in the EU Regulation.

Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. The data subject shall have the right to have faulty or incomplete personal data amended or completed.

Right to erasure/“right to be forgotten”

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay in certain cases.

This right of the data subject is particularly relevant to personal data processed on the basis of his/her consent. In certain other cases, e.g. when data is processed on the basis of fulfilling a legal obligation, this right is expressly limited.

Erasure is not applicable where the processing of the data is necessary:

for exercising the right of freedom of expression and information;

for compliance with a legal obligation which requires processing by Union or Member State law (such is the case when data is processed for invoicing purposes, as the law requires the invoices to be stored) to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

for the establishment, exercise or defence of legal claims (e.g. if the Data Controller has a claim against the data subject who has not yet complied with it, or if a complaint of a consumer or in connection with data processing is being processed).

Right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing, where certain conditions are met. This case is mostly applicable in order to freeze a certain status of data processing, which is either a precedent of a dispute situation or a concrete dispute itself.

Notification obligation related to rectification or erasure of personal data or restriction of data processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed. Exemption: the controller is not expected to fulfil this obligation if it proves impossible or involves a disproportionate effort.

Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.

Right to object

The data subject shall have the right to object at any time to processing of personal data concerning him or her if processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or if processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. In this case the data subject may request manual, human intervention and decision making.

Communication of a personal data breach to the data subject

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons concerned by the data breach, the controller shall communicate the personal data breach to the data subject without undue delay.

Right to lodge a complaint with the supervisory authority (right to address an authority)

The data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the EU data protection regulation.

Right to an effective judicial remedy against a supervisory authority

Every natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him/her.

The right still prevails, if the supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.

Right to an effective judicial remedy against a controller or a processor

Every data subject shall have the right to start a civil lawsuit where he or she considers that his or her rights have been infringed as a result of the processing of his or her personal data in non-compliance with the EU Regulation.

9. PROCEDURES RELATED TO REQUESTS BY A DATA SUBJECT

9.1. Submission of a Request by a Data Subject

In conjunction with identifying him/herself, the data subject may submit an application to us as data controller via any means of his/her choice, such as:

by post

by electronic mail

by a proxy

or by other means.

9.2. Evaluation of an Application Submitted by a Data Subject

If we do not see any obstacle to the execution of the request of the data subject, we shall do so within 30 days and notify the data subject. We will execute the request, as far as possible, through the mode requested by the person concerned:

in case of a request for information: by email or by post,

in case of a request for rectification or a restriction of processing: by internal execution relevant to the stored data,

in case of a request for erasure through deleting the data,

in case of a request for data transmission or transfer by handing over the data (on a data storage medium, by email or in person),

in case of a decision sustaining an objection by producing the requested status.

If we deem that it is not possible to comply with the request of the data subject, we will inform the applicant of the refusal of the application and of his/her rights of appeal.

We, as data controller, are entitled and obliged to verify the identity of the applicant to ensure the confidentiality of the data and fulfil legal obligations. The method for identifying the applicant shall be, as far as possible, comparable to the way in which the data has been given and obtained.

We do not charge any costs or fees for our activities during the assessment of the applications submitted by a data subject. However, in case of repeated, unfounded, unreasonable requests, we are entitled to charge administrative costs.

AMENDING THE PERSONAL DATA PRIVACY POLICY

We reserve the right to modify this Personal Data Privacy Policy in a manner that does not affect the purpose and legal basis of the data processing. By using our website after the amendment enters into force, you accept the amended Personal Data Privacy Policy.

If we as data controller wish to carry out further data processing for purposes other than the purpose for which they were collected, we will inform the individual concerned about the purpose of the data processing and about the following information:

the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

the existence of the right to request from us as controller access to and rectification or erasure of personal data concerning the data subject or restriction of processing and where the processing is based on our legitimate interest the data subject may object to processing, and where the processing is based on consent or a contractual relation, the data subject has the right to data portability upon his/her request;

where the processing is based on consent, the data subject may withdraw his/her consent at any time;

the right to lodge a complaint with a supervisory authority;

whether the obtaining of data is based on legislation or contractual obligation, and whether it is a prerequisite for entering into a contract with us, and also whether the data subject is obligated to submit his/her data to us, and what consequences it will entail, should he/she refuse to provide his/her personal data;

if applicable, the fact that automated decision making, including profiling, is involved, and if this is the case, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.